9.1

CVE-2020-7060

Exploit

When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.

Data is provided by the National Vulnerability Database (NVD)
PhpPhp Version >= 7.2.0 < 7.2.27
PhpPhp Version >= 7.3.0 < 7.3.14
PhpPhp Version >= 7.4.0 < 7.4.2
TenableTenable.Sc Version < 5.19.0
OpensuseLeap Version15.1
DebianDebian Linux Version8.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 6.4% 0.906
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd@nist.gov 6.4 10 4.9
AV:N/AC:L/Au:N/C:P/I:N/A:P
security@php.net 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://usn.ubuntu.com/4279-1/
Patch
Third Party Advisory
https://seclists.org/bugtraq/2020/Feb/27
Third Party Advisory
Mailing List
https://seclists.org/bugtraq/2020/Feb/31
Third Party Advisory
Mailing List
https://seclists.org/bugtraq/2021/Jan/3
Third Party Advisory
Mailing List
https://bugs.php.net/bug.php?id=79037
Patch
Vendor Advisory
Exploit